Mantieni tutto organizzato con le raccolte
Salva e classifica i contenuti in base alle tue preferenze.
Un bundle di attendibilità, noto anche come elenco di attendibilità, è un gruppo di ancore di attendibilità, ad esempio entità, intrinsecamente attendibili e la cui attendibilità non viene trasferita da un'altra entità (terze parti attendibili). Questi trust anchor vengono forniti come
certificati dell'autorità di certificazione (CA). L'algoritmo di creazione del percorso di certificazione utilizza questi certificati CA per stabilire una catena tra un certificato che ottiene la convalida e i trust anchor.
Google Distributed Cloud (GDC) con air gap dispone di bundle di attendibilità dedicati. Questa guida descrive
i passaggi per recuperare il bundle di attendibilità per gli amministratori dell'organizzazione.
Tipi di bundle di attendibilità
Distributed Cloud fornisce due tipi di bundle di attendibilità gestiti per gli amministratori della piattaforma:
trust-store-root-ext: contiene la CA radice interna e la CA web-tls. I
contenuti variano a seconda della posizione in cui si trovano, ad esempio la radice o
l'organizzazione tenant. Utilizza questo bundle di attendibilità per comunicare oltre i confini dell'organizzazione o per accedere a servizi come l'archiviazione di oggetti all'interno dell'organizzazione.
trust-store-global-root-ext: disponibile nello spazio dei nomi del server API globale e del server API di zona platform. Quando il server API globale è pronto, il
bundle compila tutti gli altri dati trust-store-root-ext zonali, inclusi i dati
locali.
Recupera il bundle di attendibilità
Puoi recuperare i bundle di attendibilità dall'endpoint server noto o dal
cluster utilizzando kubectl.
Recupero dal server noto
GDC fornisce un modo sicuro per accedere ai bundle di attendibilità
tramite un endpoint server noto. Utilizza questo metodo quando devi recuperare
il bundle trust-store-global-root-ext senza interagire direttamente con il
cluster utilizzando kubectl.
Esporta le seguenti variabili di ambiente:
exportSTORAGE=STORAGEexportORG_NAME=ORG_NAME
Sostituisci quanto segue:
STORAGE: il percorso della directory in cui vuoi
archiviare il file del bundle di attendibilità.
ORG_NAME: il nome della tua organizzazione in
GDC.
Imposta la variabile di ambiente GLOBAL_TRUST_BUNDLE_FILE. Questo file archivia il
bundle di attendibilità GDC localmente nella posizione $STORAGE
specificata.
Puoi recuperare i bundle di attendibilità direttamente dal cluster GDC
utilizzando lo strumento a riga di comando kubectl. Utilizza questo metodo se hai
accesso diretto al cluster e alla sua configurazione e devi recuperare i bundle di attendibilità trust-store-root-ext o trust-store-global-root-ext.
Prima di poter completare i passaggi descritti in questa sezione, devi ottenere quanto segue:
Autorizzazioni richieste: chiedi all'amministratore IAM dell'organizzazione di concederti il ruolo Visualizzatore trust store (trust-store-viewer).
MANAGEMENT_API_SERVER_KUBECONFIG: il percorso del file kubeconfig del server dell'API Management.
STORAGE: il percorso della directory in cui vuoi
archiviare il file del bundle di attendibilità.
ZONE: il nome della zona GDC.
Imposta la variabile di ambiente TRUST_BUNDLE_FILE. Questo file archivia
il bundle di attendibilità GDC localmente nella posizione $STORAGE
specificata per il tuo $ZONE GDC:
[[["Facile da capire","easyToUnderstand","thumb-up"],["Il problema è stato risolto","solvedMyProblem","thumb-up"],["Altra","otherUp","thumb-up"]],[["Difficile da capire","hardToUnderstand","thumb-down"],["Informazioni o codice di esempio errati","incorrectInformationOrSampleCode","thumb-down"],["Mancano le informazioni o gli esempi di cui ho bisogno","missingTheInformationSamplesINeed","thumb-down"],["Problema di traduzione","translationIssue","thumb-down"],["Altra","otherDown","thumb-down"]],["Ultimo aggiornamento 2025-09-04 UTC."],[[["\u003cp\u003eTrust bundles in Google Distributed Cloud (GDC) air-gapped environments are groups of trusted entities, such as certificate authorities (CAs), used to establish secure communication and are delivered as CA certificates.\u003c/p\u003e\n"],["\u003cp\u003eGDC provides two types of managed trust bundles: \u003ccode\u003etrust-store-root-ext\u003c/code\u003e for internal communication within or between organizations, and \u003ccode\u003etrust-store-global-root-ext\u003c/code\u003e for global API server access, which then populates \u003ccode\u003etrust-store-root-ext\u003c/code\u003e data.\u003c/p\u003e\n"],["\u003cp\u003eTo fetch these trust bundles, users need the Trust Store Viewer role and must have the kubeconfig file for the Management API server.\u003c/p\u003e\n"],["\u003cp\u003eThe process involves exporting environment variables, setting a trust bundle file location, and using \u003ccode\u003ekubectl\u003c/code\u003e commands to retrieve the CA certificates and store them in the designated file.\u003c/p\u003e\n"],["\u003cp\u003eThe fetched trust bundle file will store one or more CA certificates in a format that begin and end with the "BEGIN CERTIFICATE" and "END CERTIFICATE" header and footer, respectively.\u003c/p\u003e\n"]]],[],null,["# Fetch GDC trust bundles\n\nA trust bundle, also known as a trust list, is a group of trust anchors, such\nas entities, that are inherently trusted and whose trust is not transferred by\nanother entity (trusted third parties). These trust anchors are delivered as\ncertificate authority (CA) certificates. The certification path-building\nalgorithm uses these CA certificates to establish a chain between a certificate\nobtaining validation and the trust anchors.\n\nGoogle Distributed Cloud (GDC) air-gapped has dedicated trust bundles. This guide outlines\nthe steps to fetch the trust bundle for organizational administrators.\n\nTrust bundle types\n------------------\n\nDistributed Cloud provides two types of managed trust bundles for platform\nadministrators:\n\n- `trust-store-root-ext`: contains the internal root CA and web-tls CA. The\n content is different depending on where it resides, such as the root or\n the tenant organization. Use this trust bundle to communicate across\n organization boundaries or to access services like object storage within the\n organization.\n\n- `trust-store-global-root-ext`: available in the global API server and zonal\n API server `platform` namespace. When the global API server is ready, the\n bundle populates all other zonal `trust-store-root-ext` data, including local\n data.\n\nFetch the trust bundle\n----------------------\n\nYou can fetch trust bundles from the well-known server endpoint, or from the\ncluster using `kubectl`.\n\n### Fetch from the well-known server\n\nGDC provides a secure way to access trust bundles\nthrough a well-known server endpoint. Use this method when you need to fetch\nthe `trust-store-global-root-ext` bundle without directly interacting with the\ncluster using `kubectl`.\n| **Caution:** When fetching trust bundles from the well-known server, it's crucial to protect against person-in-the-middle (PITM) attacks. Make sure that you're connecting to a secure and controlled environment.\n\n1. Export the following environment variables:\n\n export STORAGE=\u003cvar translate=\"no\"\u003eSTORAGE\u003c/var\u003e\n export ORG_NAME=\u003cvar translate=\"no\"\u003eORG_NAME\u003c/var\u003e\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eSTORAGE\u003c/var\u003e: the directory path where you want to store the trust bundle file.\n - \u003cvar translate=\"no\"\u003eORG_NAME\u003c/var\u003e: the name of your organization within GDC.\n2. Set the `WELL_KNOWN_URL` environment variable:\n\n export WELL_KNOWN_URL=https://console.${ORG_NAME:?}.google.gdch.test/.well-known/certificate-authority\n\n3. Set the `GLOBAL_TRUST_BUNDLE_FILE`environment variable. This file stores the\n GDC trust bundle locally in your specified `$STORAGE`\n location.\n\n export GLOBAL_TRUST_BUNDLE_FILE=\"$STORAGE/global/ca-bundles/global-trust-bundle\"\n\n4. Obtain the `trust-store-global-root-ext` trust bundle from the well-known\n server and store it in the file created in the previous step:\n\n ### Linux\n\n echo -n | curl ${WELL_KNOWN_URL:?} \u003e ${GLOBAL_TRUST_BUNDLE_FILE:?}\n\n ### Windows\n\n Invoke-WebRequest -Uri \"https://console.${ORG_NAME}.google.gdch.test/.well-known/certificate-authority\" -OutFile \".\\global-trust-bundle.crt\"\n\n The fetched trust bundle file contains one or more CA certificates. The\n output is similar to the following: \n\n -----BEGIN CERTIFICATE-----\n MIIC8TCCAdmgAwIBAgIRAODQ/dOB39RBs8ZpN0RujIswDQYJKoZIhvcNAQELBQAw\n EjEQMA4GA1UEAxMHcm9vdC1jYTAeFw0yNTAxMDYwNzM3MzVaFw00ODEyMzEwNzM3\n MzVaMBIxEDAOBgNVBAMTB3Jvb3QtY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw\n ggEKAoIBAQC41U4+3M1EAHggUBw5ki97533zTvwHukmZyORwbQ3tlQ4GQDscoCEh\n nn+KCaG767VCaGDcQhq99hl6qa/nBoc1X6WQ3a/uhv5E2ztRD40PB5NFNdSulxTH\n gsitukSmv+DAx15UJnVkJtPP/FzxEWPu0piIiFZakTxT83VUSs54QRmTahxP80FI\n R0xZ0ohsu9jzA2CAyxTccJU0/xE2kDwN8c8kiYYuG+czMdNVdnT4Jm2ToSkzIDux\n Yi9MzNmarVGG/rtW5SlqnUMYzSsxtUYSmMRlCsFDVxkSzfmICmTRw2zmNkFA/3nz\n XneVSIsUHOA2NzvMN4eoLTVRgSFcHlZRAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIB\n hjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTEeB0EQwhc5p++GhwNymsBfN93\n WjANBgkqhkiG9w0BAQsFAAOCAQEAKBqn4AXjUWmhIUOrWQ5cetsmI76Wl+RBeSzU\n HxbqMBH8Dk1oJbGHtmQbu7EmWz1pKYge650s9N83hMgjFZD24t9GiQZ7YY+i+317\n D6HzJ8VIKPnxVtnUIQzCpkRTQoglDlb1f/7+fi2SYJoHdhnRI/3OaVQTnObjbW5T\n mBhsMxFKc0zGa3HIEm9SUH608V60xUPanl23YZ6X7W8nWAJfnzKvH+3q3Fz58u/S\n VR5t/FkbOktVtnU8AfcMKLof6KG2KhE2L7FAC+fp0ZsjV9vE2uqlZ+8mIQHyc3tM\n cbWxOx+SO/XUCenY9C1yrublln9aOEn4/s3aSURPguiSZOfDyQ==\n -----END CERTIFICATE-----\n\n### Fetch from the cluster using kubectl\n\nYou can fetch trust bundles directly from the GDC\ncluster using the `kubectl` command-line tool. Use this method if you have\ndirect access to the cluster and its configuration, and you need to fetch either\nthe `trust-store-root-ext` or the `trust-store-global-root-ext` trust bundles.\n\nYou must obtain the following before you can complete the steps in this section:\n\n- **Required permissions** : Ask your Organization IAM Admin to grant you the Trust Store Viewer (`trust-store-viewer`) role.\n- **Kubeconfig file** : Sign in and [generate the kubeconfig file for the Management API server](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/iam/sign-in#zonal-resources-kubeconfig) if you don't already have one. You need the path to the kubeconfig file to replace \u003cvar translate=\"no\"\u003eMANAGEMENT_API_SERVER_KUBECONFIG\u003c/var\u003e in the following steps.\n\nFetch the trust bundle from the cluster using `kubectl`:\n\n1. Export the following environment variables:\n\n export KUBECONFIG=\u003cvar translate=\"no\"\u003eMANAGEMENT_API_SERVER_KUBECONFIG\u003c/var\u003e\n export STORAGE=\u003cvar translate=\"no\"\u003eSTORAGE\u003c/var\u003e\n export ZONE=\u003cvar translate=\"no\"\u003eZONE\u003c/var\u003e\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eMANAGEMENT_API_SERVER_KUBECONFIG\u003c/var\u003e: the path to the Management API server kubeconfig.\n - \u003cvar translate=\"no\"\u003eSTORAGE\u003c/var\u003e: the directory path where you want to store the trust bundle file.\n - \u003cvar translate=\"no\"\u003eZONE\u003c/var\u003e: your GDC zone name.\n2. Set the `TRUST_BUNDLE_FILE` environment variable. This file stores\n the GDC trust bundle locally in your specified `$STORAGE`\n location for your GDC `$ZONE`:\n\n export TRUST_BUNDLE_FILE=\"$STORAGE/$ZONE/ca-bundles/trust-bundle\"\n export GLOBAL_TRUST_BUNDLE_FILE=\"$STORAGE/global/ca-bundles/global-trust-bundle\"\n\n3. Set the `NS` namespace environment variable for the namespace:\n\n export NS=platform\n\n4. Obtain the certificate authorities (CA) and store them in the file created in\n step 2:\n\n For `trust-store-root-ext`: \n\n kubectl --kubeconfig ${KUBECONFIG} get secret trust-store-root-ext -n ${NS} -o go-template='{{ index .data \"ca.crt\" }}' | base64 -d | sed '$a\\' \u003e ${TRUST_BUNDLE_FILE}\n\n For `trust-store-global-root-ext`: \n\n kubectl --kubeconfig ${KUBECONFIG} get secret trust-store-global-root-ext -n ${NS} -o go-template='{{ index .data \"ca.crt\" }}' | base64 -d | sed '$a\\' \u003e ${GLOBAL_TRUST_BUNDLE_FILE}\n\n The fetched trust bundle file contains one or more CA certificates. The\n output is similar to the following: \n\n -----BEGIN CERTIFICATE-----\n MIIC8TCCAdmgAwIBAgIRAODQ/dOB39RBs8ZpN0RujIswDQYJKoZIhvcNAQELBQAw\n EjEQMA4GA1UEAxMHcm9vdC1jYTAeFw0yNTAxMDYwNzM3MzVaFw00ODEyMzEwNzM3\n MzVaMBIxEDAOBgNVBAMTB3Jvb3QtY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw\n ggEKAoIBAQC41U4+3M1EAHggUBw5ki97533zTvwHukmZyORwbQ3tlQ4GQDscoCEh\n nn+KCaG767VCaGDcQhq99hl6qa/nBoc1X6WQ3a/uhv5E2ztRD40PB5NFNdSulxTH\n gsitukSmv+DAx15UJnVkJtPP/FzxEWPu0piIiFZakTxT83VUSs54QRmTahxP80FI\n R0xZ0ohsu9jzA2CAyxTccJU0/xE2kDwN8c8kiYYuG+czMdNVdnT4Jm2ToSkzIDux\n Yi9MzNmarVGG/rtW5SlqnUMYzSsxtUYSmMRlCsFDVxkSzfmICmTRw2zmNkFA/3nz\n XneVSIsUHOA2NzvMN4eoLTVRgSFcHlZRAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIB\n hjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTEeB0EQwhc5p++GhwNymsBfN93\n WjANBgkqhkiG9w0BAQsFAAOCAQEAKBqn4AXjUWmhIUOrWQ5cetsmI76Wl+RBeSzU\n HxbqMBH8Dk1oJbGHtmQbu7EmWz1pKYge650s9N83hMgjFZD24t9GiQZ7YY+i+317\n D6HzJ8VIKPnxVtnUIQzCpkRTQoglDlb1f/7+fi2SYJoHdhnRI/3OaVQTnObjbW5T\n mBhsMxFKc0zGa3HIEm9SUH608V60xUPanl23YZ6X7W8nWAJfnzKvH+3q3Fz58u/S\n VR5t/FkbOktVtnU8AfcMKLof6KG2KhE2L7FAC+fp0ZsjV9vE2uqlZ+8mIQHyc3tM\n cbWxOx+SO/XUCenY9C1yrublln9aOEn4/s3aSURPguiSZOfDyQ==\n -----END CERTIFICATE-----"]]